Authentication ?

qdivya1 at qdivya1 at
Thu Jul 26 16:30:10 UTC 2001


I realize that AUTHENTICATION works against LDAP w/o any problems.

What I really wish to focus on is Authorization. The idea I had been
mulling over in my mind was something akin to the following:


For each NewsGroup, create a container group listing the users
that are allowed to access that news group.

The listing can be of two formats, either an explicit list of users, or
a policy/rule that describes a method of qualifying users (or a

If a "corresponding" container group is not listed for a newsgroup, see if
there is one that exists for its parent newsgroup ... If the parent does
not have a container group, then check its parent etc. ...

A default authorization rule would apply to the "root" news group.


Hopefully that helps.


On Thu, 26 Jul 2001 graeme+inn-workers at wrote:

> Date: Thu, 26 Jul 2001 08:15:29 +0100
> From: graeme+inn-workers at
> To: qdivya1 at
> Cc: inn-workers at
> Subject: Re: Authentication ?
> On Wed, Jul 25, 2001 at 01:38:49PM -0500, qdivya1 at wrote:
> >
> > I am interested in exploring two items:
> >
> > (1) Authenticating users against LDAP, and
> This works, using pamckpasswd and pam_ldap.
> > (2) Authorizing their access into Newsgroups based upon their membership
> > in a group ..
> Could you explain what you mean by this?  If you mean that only users in
> a particular group (say group 'reader') can login to the news server,
> then that is trivial.  Your nnrpd PAM configuration would look something
> along the lines of:
> nnrpd   auth    requisite
> nnrpd   auth    required group=reader
> nnrpd   auth    required
> If instead you're looking for particular groups to have access to
> particular hierarchies, a bit of hacking would be involved.  It would
> be possible to have an authenticator which returns both a user and a
> group[1].  That would require modifying nnrpd/perm.c to grok the newly
> returned field.
> It would then be possible to have an access stanza which allows access to
> hierarchies based on group.  Hrm, seeing as I'm planning on working on
> code in that general area this weekend, I may look at implementing that
> as a first step.
> Of course, it's then getting to the stage that the authenticator may as
> well return a Newsgroups: line which lists the newsgroups that a user
> can access...
> [1] Possibly a list of groups.
> --
> graeme+sig at                

Divya Sundaram ----------------------------- CONDITUR IN PETRA
We don't need more strength, or greater opportunity. What we
need is to use what we have.                  - BASIL S. WALSH
--------- Motorola OneIT -- Enabling the Enterprise ----------
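
The lookup described in the message above (nearest container group, else the parent's, else the default rule on the root), as an added Python example that is not part of the original post or of INN. The dictionaries stand in for LDAP container groups; `find_container`, `is_authorized`, the rule representation, the deny-by-default root rule and all sample entries are assumptions made for illustration.

```python
# Added illustration: in-memory stand-in for LDAP container groups.
# All names and sample entries are constructed, not taken from INN.

ROOT = ""  # hypothetical key for the "root" news group

# A container is either an explicit set of users or a rule
# (a predicate over the user's directory attributes).
CONTAINERS = {
    ROOT: lambda attrs: False,                        # default rule: deny
    "corp": lambda attrs: attrs.get("employee") is True,
    "corp.hr": {"alice", "bob"},                      # explicit user list
    "corp.hr.payroll": {"alice"},
}

USERS = {  # constructed directory attributes
    "alice": {"employee": True},
    "bob": {"employee": True},
    "carol": {"employee": True},
    "mallory": {"employee": False},
}


def find_container(newsgroup, containers=CONTAINERS):
    """Return (name, container) for the nearest ancestor that has one."""
    name = newsgroup
    while True:
        if name in containers:
            return name, containers[name]
        if name == ROOT:
            raise LookupError("no default rule on the root news group")
        # Drop the last component: corp.hr.payroll -> corp.hr -> corp -> ROOT
        name = name.rpartition(".")[0]


def is_authorized(user, newsgroup, containers=CONTAINERS, users=USERS):
    """Apply only the nearest container; unknown users are denied."""
    attrs = users.get(user)
    if attrs is None:
        return False
    _, container = find_container(newsgroup, containers)
    if callable(container):
        return bool(container(attrs))
    return user in container
```

Because only the nearest container is consulted, a narrower list on a child group restricts access rather than adding to what the parent allows.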
